Blocking Web browser pop-up windows is incorrect because some pop-up windows are crafted to look like legitimate system message boxes or websites and can trick users into going to phony websites, including sites used for phishing, or authorizing changes to their systems, among other malicious actions. Most Web browsers can block pop-up windows; other can do so by adding a third-party pop-up blocker to the Web browser.

117. Which of the following is not a secondary source for malware incident detection?

a. Antivirus software

b. Firewall log files

c. Network-based IPS sensors

d. Capture files from packet sniffers

117. a. Antivirus software is the primary source of data for malware incident detection. Examples of secondary sources include (i) firewall and router log files, which might show blocked connection attempts, (ii) log files from e-mail servers and network-based IPS sensors, which might record e-mail headers or attachment names, (iii) packet capture files from packet sniffers, network-based IPS sensors, and network forensic analysis tools, which might contain a recording of malware-related network traffic. Host-based IPS is also a secondary source.

118. In the application security environment, system or network transparency is achieved through which of the following security principles?

a. Process isolation and hardware segmentation

b. Abstraction and accountability

c. Security kernel and reference monitor

d. Complete mediation and open design

118. a. Transparency is the ability to simplify the task of developing management applications, hiding distribution details. There are different aspects of transparency such as access failure, location, migration replication, and transaction. Transparency means the network components or segments cannot be seen by insiders and outsiders, and that actions of one user group cannot be observed by other user groups. Transparency is achieved through process isolation and hardware segmentation principles.

The principle of process isolation or separation is employed to preserve the object’s wholeness and subject’s adherence to a code of behavior. It is necessary to prevent objects from colliding or interfering with one another and to prevent actions of active agents (subjects) from interfering or colluding with one another.

The principle of hardware segmentation provides hardware transparency when hardware is designed in a modular fashion and yet interconnected. A failure in one module should not affect the operation of other modules. Similarly, a module attacked by an intruder should not compromise the entire system. System architecture should be arranged so that vulnerable networks or network segments can be quickly isolated or taken offline in the event of an attack. Examples of hardware that need to be segmented include network switches, physical circuits, and power supply equipment.

The abstraction principle is related to stepwise refinement and modularity of programs. As the software design evolves, each level of module in a program structure represents a refinement in the level of software abstraction. Abstraction is presented in levels, where a problem is defined and a solution is stated in broad terms at the highest level of abstraction (during requirements and analysis phases) and where source code is generated at the lowest levels of abstraction (during programming phase).

The accountability principle holds an individual responsible for his actions. From this principle, requirements are derived to uniquely identity and authenticate the individual, to authorize his actions within the system, to establish a historical track record or account of these actions and their effects, and to monitor or audit this historical account for deviations from the specified code of action.

The security kernel principle is the central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. The principle of a reference monitor is the primary abstraction enabling an orderly evaluation of a standalone computer system with respect to its abilities to enforce both mandatory and discretionary access controls.

The principle of complete mediation stresses that every access request to every object must be checked for authority. This requirement forces a global perspective for access control, during all functional phases (for example, normal operation and maintenance). Also stressed are reliable identification access request sources and reliable maintenance of changes in authority. The principle of open design stresses that design secrecy or the reliance on the user ignorance is not a sound basis for secure systems. Open design enables open debate and inspection of the strengths, or origins of a lack of strength, of that particular design. Secrecy can be implemented through the use of passwords and cryptographic keys, instead of secrecy in design.

119. Which of the following is a reactive countermeasure in defending against worms?

a. Packet filtering firewalls

b. Stackguarding

c. Virus scanning tool

d. Virtual machine

119. c. Virus scanners, being one of reactive (detective) countermeasures, search for “signature strings” or use algorithmic detection methods to identify known viruses. These reactive methods have no hope of preventing fast spreading worms or worms that use zero-day exploits to carry out their attacks.

The other three choices are examples of proactive (preventive) countermeasures. Packet-filtering firewalls block all incoming traffic except what is needed for the functioning of the network. Stackguarding prevents worms from gaining increased privileges on a system. A virtual machine prevents potentially malicious software from using the operating system for illicit actions.

120. Which of the following is better for training IT staff in malware incident handling?

a. Use an isolated test system.

b. Use an infected production system.

c. Keep the test system and the production system physically separate.

d. Keep the test system and the production system logically separate.

120. a. Malware test systems and environments are helpful not only for analyzing current malware threats without the risk of inadvertently causing additional damage to the organization, but also for training staff in malware incident handling. An infected production system or a disk image of an infected production system could also be placed into an isolated test environment. Physical separation may not be possible at all times; although, logical separation might be possible. Both physical and logical separation are important but not as important as using an isolated test system.

121. Which of the following is not part of malware incident detection and analysis phase?

a. Understanding signs of malware incidents

b. Acquiring tools and resources

c. Identifying malware incident characteristics

d. Prioritizing incident response

121. b. Acquiring tools and resources is a part of the preparation phase. These tools and resources may include packet sniffers and protocol analyzers. The other three choices are incorrect because they are a part of the detection phase. The malware incident response life cycle has four phases, including (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.